Enquiry Form 
Australian Government 


Office of the Australian Information Commissioner 


Reference Code: XHSMW6M6 


About this form 


You can use this form for general enquiries about the roles and functions of the Office of the Australian 
Information Commissioner (OAIC) and the laws it regulates. 


Your enquiry 


Details of your enquiry * 
I have become aware of two data breaches by major organisations: A breach by a Google partner 
around the 7th January 2021 as reported in the attachment - I subscribed to a Google Privacy 
Checkup, only to find a whole set of compromised passwords, including email, was reported. How 
come Google was not required to inform me of this? 


I also read of a breach of 180,000 NSW services customers on or about the 7th September 2020 - 
for which I would have expected a message to say whether I was amongst those or not. 


While the latter Services NSW breach leaves me with a feeling of uncertainty, the former Google 
breach is deeply concerning. It seems that in both these cases, and for all I know, many other 
instances, the Mandatory Breach Notification legislation is about as effective as boiling pasta in a 
saucepan made out of chicken wire. 


My inquiry is this: What are the loopholes that are resulting in these failures, particularly the very 
specific Google breach? 


If you have contacted us before on this matter, please provide your original reference number 


Do you require a response from OAIC? * 


Yes No 


Supporting information 


You may also attach other relevant information that supports your application. 


Do you have any electronic document that you want to send electronically with this form? 


Yes No 


You may attach other relevant information that supports your enquiry by using the "upload file" button 
below. * 


Files you attach must: 
• be in *.pdf, *.docx, *.doc, *.txt, *.jpg, *.gif or *.png format 
• be limited to five files 
• in total be no larger than 20MB. 


Password Checkup.pdf 


Amazon won't disclose identity of company linked to driver's licence data breach, NS... 


Your details 


You can use a pseudonym 


Title 


Given name * 


Matt 


Family name * 


Balogh 


Preferred Contact Method * 


Email Address * 


mbalogh@bloggs.id.au 


Phone (daytime) 


Mobile 


0417 240 665 


Postal address 


Other contact details (eg. fax or international address) 


74 Moonbie Street, Summer Hill, NSW 


Your personal information 


We will handle your personal information in accordance with the Australian Privacy Principles 
(https://www.oaic.gov.au/privacy/australian-privacy-principles/). 


What will we do with your information? 


We will use the information you have provided to handle your enquiry. 


What information will we collect? 


We may need to collect further information from you in order to handle your enquiry. If you do not provide this 
information to the OAIC, it may affect how we handle your enquiry. In some circumstances, it may mean we 
are not able to handle your enquiry. 


Accessing your information 


If you would like to access information that the OAIC holds about you, please contact our enquiries line at 
enquiries.gov.au. You can also find more information on the Access our information 
(https://www.oaic.gov.au/about-us/access-our-information/) page on our website. 


If you have any questions about the personal information we collect and how we will handle your information, 
please contact the OAIC or see our privacy policy (https://www.oaic.gov.au/privacy-policy-summary) available on 
our website. 


Submitting your enquiry 


Please review the information contained in your enquiry. 


Once you submit your form, you will be taken to a confirmation page. This page will provide a receipt number for 
your submission, and you will be able to download a copy of your completed form or have a copy sent to an email 
address of your choice. 


Matt Balogh 


From: Matt Balogh 

Sent: Tuesday, 2 February 2021 2:54 PM 

To: Enquiries 

Subject: RE: OAIC enquiry: EN21/00697 [SEC=OFFICIAL] 


Dear Antonella, 
Thanks for your response. 


Could you please clarify, in the instance that there is a publicly known data breach, such as the Google example 
below, and I now am aware of a Facebook one, do I understand that until someone within the organisation, or a 
victim of the breach lodges a complaint, the OAIC cannot act? And secondly, does that mean that your team may 
read in the media of a large data breach — but unable to act, because no eligible complaint has been made? 


Regards 


Matt Balogh 

Doctoral Candidate 
School of Science and Technology, UNE 
+61 (0) 417 240665 Australia 


Intelligent information and document management 
Reviewing research for quality and compliance 
mbalogh@bloggs.id.au 


The Research Society QPR 2019-20: QUALIFIED PROFESSIONAL RESEARCHER 


From: Enquiries <enquiries@oaic.gov.au> 

Sent: Monday, 1 February 2021 4:58 PM 

To: Matt Balogh <mbalogh@bloggs.id.au> 

Subject: OAIC enquiry: EN21/00697 [SEC=OFFICIAL] 
Dear Matt, 

Thank you for your enquiry. 


I understand you have concern with potential data breaches. 


Please note that state government is regulated by state laws. As such you will need to contact New South Wales 
Information and Privacy Commission for concerns against Service NSW. 


With regards to Google, we generally advise you alert them so they may take appropriate steps to respond to the 
data breach. Under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth) (the Act), responsibility to 
assess and respond to a data breach lies with the organisation responsible for the records. The obligation to 
assess and possibly notify of a data breach does not extend to individuals not a part of the organisation that 
become aware of a possible data breach. 


Individual Rights 


APP 11 outlines that organisations must take reasonable steps to protect the personal information they hold from 
misuse, interference, loss, unauthorised access, modification and disclosure. If you believe the organisation has 
not complied with APP 11 when handling your own personal information, you may wish to lodge a privacy 
complaint. Please note that you cannot complain on behalf of an individual unless authorized to do so. 


I hope this information has been useful. For further enquiries, please call the general enquiries line on 1300 363 992. 
Yours sincerely, 


Antonella | Enquiries Officer 

Dispute Resolution Branch 

Office of the Australian Information Commissioner 
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au 


1300 363 992 | enquiries@oaic.gov.au 
WARNING: The information contained in this email may be confidential. 
If you are not the intended recipient, any use or copying of any part 
of this information is unauthorised. If you have received this email in 
error, we apologise for any inconvenience and request that you notify 
the sender immediately and delete all copies of this email, together 
with any attachments. 